Certbot Renewal Cron Job broken on July 8

warlord
Posts: 15
Joined: 16 May 2019 21:21

Certbot Renewal Cron Job broken on July 8

Post by warlord » 26 Jul 2019 17:28

Hi,

My EFA server took an update on July 8th and it rewrote (and BROKE) /etc/cron.d/certbotrenew:

Code:

# ls -l /etc/cron.d/certbotrenew
-rw-r--r--. 1 root root 666 Jul  8 05:14 /etc/cron.d/certbotrenew
# cat /etc/cron.d/certbotrenew
0 0,12 awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php root python -c 'import random; import time; time.sleep(random.random() awl.php checklogin.php conf.php connect.php functions.php images includes index.php login.function.php login.php main.css opt_in_out.php 3600)' && certbot renew >/dev/null 2>&1

Obviously this is a completely broken crontab file!! My guess is that this is from this update:

Jul 08 05:15:51 Updated: eFa.x86_64 1:4.0.0-64.eFa.el7

Please see my previous post about the certbot crontab and the crontab getpwnam issues to see what I feel should be the correct contents of this file:

Code:

0 0,12 * * * user python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --post-hook '/usr/sbin/service httpd force-reload' >/dev/null 2>&1

shawniverson
Posts: 2818
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Certbot Renewal Cron Job broken on July 8

Post by shawniverson » 26 Jul 2019 19:32

Ugh, good to know, that doesn't look right at all.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

shawniverson
Posts: 2818
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Certbot Renewal Cron Job broken on July 8

Post by shawniverson » 26 Jul 2019 19:32

I'll run some tests and prepare an update.

warlord
Posts: 15
Joined: 16 May 2019 21:21

Re: Certbot Renewal Cron Job broken on July 8

Post by warlord » 26 Jul 2019 20:57

Thanks.

If you could actually take my full-blown suggestion from viewtopic.php?f=19&t=3577&p=14151#p14151 it would be even better. That would let us use LetsEncrypt for both HTTP and Postfix and have it do the right thing when the cert is updated.

shawniverson
Posts: 2818
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Certbot Renewal Cron Job broken on July 8

Post by shawniverson » 27 Jul 2019 12:21

Not everybody wants the certs for postfix, so I will add some logic to choose either scenario.

The cron is mangled because bash dereferenced the *'s, which is my bad. I should have caught that.

warlord
Posts: 15
Joined: 16 May 2019 21:21

Re: Certbot Renewal Cron Job broken on July 8

Post by warlord » 27 Jul 2019 12:25

> Not everybody wants the certs for postfix, so I will add some logic to choose either scenario.

Sure. Configuring LE certs for postfix should absolutely be a separate option. However IMHO restarting postfix when LE certs get renewed is perfectly safe regardless of whether it's using self- or LE certs.

warlord
Posts: 15
Joined: 16 May 2019 21:21

Re: Certbot Renewal Cron Job broken on July 8

Post by warlord » 29 Jul 2019 14:07

Oops, I found one bug above. In the cron job where I say "user" it needs to be "root" (or whatever user cron needs to run certbot as).
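
The two failure modes discussed in this thread (the shell expanding the schedule asterisks into file names, and a user field that does not name a real account), shown as an added example that is not eFa's installer code or any poster's own script. The function and variable names are hypothetical, and the cron line is the one proposed above with "root" as the user.

```shell
#!/bin/sh
# Added example; names are hypothetical. Cron line taken from the thread, with root.
CRON_LINE="0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --post-hook '/usr/sbin/service httpd force-reload' >/dev/null 2>&1"

# BUG: unquoted expansion. The shell word-splits $CRON_LINE and replaces every
# bare * with the names of the files in the current working directory.
write_unquoted() {   # $1 = output file
    echo $CRON_LINE > "$1"
}

# FIX: quote the expansion so the asterisks reach the file literally.
write_quoted() {     # $1 = output file
    printf '%s\n' "$CRON_LINE" > "$1"
}

# Sanity-check a cron.d style file before installing it: each job line needs
# five schedule fields (numeric syntax only here, names like "mon" are not
# accepted), a user that exists on this host, and a command.
check_cron_file() {  # $1 = file; returns 0 only if every job line passes
    rc=0
    while read -r m h dom mon dow user cmd; do
        case "$m" in ''|'#'*|*=*) continue ;; esac   # blank, comment, VAR=value
        for f in "$m" "$h" "$dom" "$mon" "$dow"; do
            case "$f" in
                ''|*[!0-9*,/-]*) echo "bad schedule field: '$f'" >&2; rc=1 ;;
            esac
        done
        id -u "$user" >/dev/null 2>&1 || { echo "unknown user: '$user'" >&2; rc=1; }
        [ -n "$cmd" ] || { echo "missing command" >&2; rc=1; }
    done < "$1"
    return $rc
}
```

Running `check_cron_file` on the generated file before moving it into /etc/cron.d catches both the mangled schedule and a placeholder user such as "user".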
